Analysis Overview
SHA256
2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca
Threat Level: Known bad
The file 2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe was found to be: Known bad.
Malicious Activity Summary
Cycbot
Cycbot family
Detects Cycbot payload
Reads user/profile data of web browsers
UPX packed file
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-22 18:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-22 18:26
Reported
2024-11-22 18:28
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Cycbot
Cycbot family
Detects Cycbot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe
"C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe"
C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe
C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe
C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | thebestpageintheuniverse.net | udp |
| US | 207.244.65.193:80 | thebestpageintheuniverse.net | tcp |
| US | 8.8.8.8:53 | zonetf.com | udp |
| US | 13.248.169.48:80 | zonetf.com | tcp |
| US | 13.248.169.48:80 | zonetf.com | tcp |
| US | 8.8.8.8:53 | onloneservermonitoring.com | udp |
| US | 13.248.169.48:80 | zonetf.com | tcp |
| US | 13.248.169.48:80 | zonetf.com | tcp |
| US | 13.248.169.48:80 | zonetf.com | tcp |
| US | 8.8.8.8:53 | zonetk.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| N/A | 127.0.0.1:60525 | N/A | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| N/A | 127.0.0.1:60525 | N/A | tcp |
Files
memory/2356-1-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2356-2-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2336-6-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2336-7-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2356-17-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Users\Admin\AppData\Roaming\49F8.288
| MD5 | f45717326bd7cecfad365272e9de85f1 |
| SHA1 | 45f1ecc94b7881946332f7f00ff279cabeef5ee6 |
| SHA256 | f38e37a2ba8b5efdf2fab55866ce783f0a49107d878e83cdd95d36f88485cd9f |
| SHA512 | 5d823aa367c8aa159e094b64661a2b7059ed5447a4fc0c9033e734d0f4bb7be969d9135b05a73d85bc2106175dd655165c5af00b6e20fa938d7b6d06b8f333ed |
memory/2356-83-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1656-85-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Users\Admin\AppData\Roaming\49F8.288
| MD5 | 0655fd76fa38ebb506bba35ca6512126 |
| SHA1 | de332c808296f7885921aeec182e581fbae0e77a |
| SHA256 | d74da65ba01e1323b666cd5973c98d737cf7857d2d142d2f35eec3182bf861e9 |
| SHA512 | 04ab42ffcfa203d86114b2ed948cf1d75e6cf68206d4bb907c69dc13d39a14a405729286024e381814a32df05594daaadac3e700e2e36587dbf0d20a1222d81a |
C:\Users\Admin\AppData\Roaming\49F8.288
| MD5 | 2c9ce53ac612a0dd66d8a575e3530374 |
| SHA1 | 9c3aff0c22ca2997d8c13554dc5fa8cd1ca669df |
| SHA256 | 7ab079685dbc221524d199bc81cef002e94f208b5e70ac988d4d931da80349ec |
| SHA512 | 3e4d3e9bd1179efb99a8d4426e99f4c876b5953b4b1c5b659303ad244c74d6ce6c7d29607ccdd57087c89323ac49086419868b9dec5dd446d27f4f44889bb731 |
memory/2356-165-0x0000000000400000-0x0000000000447000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-22 18:26
Reported
2024-11-22 18:28
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
94s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe
"C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4400 -ip 4400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 332
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.208.201.84.in-addr.arpa | udp |